On Tue, Jul 1, 2008 at 4:49 PM, Jean-Michel Pouré <jm@poure.com> wrote:
Third, I looked at the shouts module and discovered there was no indexing at all. The attackers only needed to call this module repeatedly. A lot of modules use a SELECT to query a table and then explore each subsequent node sending a SELECT on each node. This is a clear overhead and can be used to attack a Drupal site. Looking at the Feeded, it seems to work this way too, except that it is correctly indexed. But this is the Drupal way to explore nodes I believe. I don't know if these SELECTs can be replaced with LEFT JOINs.
Are you referring to the 'shout' module? <http://docs.projectopus.com/releases/shout>

The quality of code in contributed modules can vary. As a general rule, the code in contrib modules is of a significantly lower standard than the code in Drupal core. Before deploying a contrib module, or before using contrib code as the foundation for your own custom code, you should review the module's issue queue, its CVS commit history, and its release status.

The 'shout' module isn't even on drupal.org, and it appears that it hasn't been maintained for over 18 months. You are using such a module at your own risk. You have absolutely no reason to expect to find well-constructed SQL statements in such a module. This is not the place to complain about crusty, unmaintained, random old modules.

'Feeded'? Can't find it. Perhaps you mean <http://drupal.org/project/feed>? If so, this doesn't seem to be actively maintained, either. Modules like this are hardly ideal candidates to use when whinging about Drupal. Please whinge about core, or not at all.

Cheers,
Jaza.
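To make the query pattern from the quoted message concrete, here is an added example; it is not code from either poster, from Drupal, or from the shout module. It builds a constructed SQLite schema (hypothetical `node` and `shouts` tables keyed by `nid`, standing in for Drupal's node table and a module table) and compares the "one SELECT for the list, then one SELECT per node" pattern against a single LEFT JOIN, counting the statements each issues per request and checking with EXPLAIN QUERY PLAN whether the per-node lookup hits an index. The table names, row counts and index name are assumptions for the demonstration.

```python
import sqlite3


def build_db(indexed: bool, nodes: int = 200, shouts: int = 2000) -> sqlite3.Connection:
    """Constructed sample data: `nodes` nodes, `shouts` shouts spread across them.
    The index on shouts(nid) is the thing the quoted message says was missing."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE node (nid INTEGER PRIMARY KEY, title TEXT)")
    conn.execute("CREATE TABLE shouts (sid INTEGER PRIMARY KEY, nid INTEGER, body TEXT)")
    if indexed:
        conn.execute("CREATE INDEX shouts_nid ON shouts(nid)")  # assumed index name
    conn.executemany("INSERT INTO node VALUES (?, ?)",
                     [(i, f"node {i}") for i in range(1, nodes + 1)])
    conn.executemany("INSERT INTO shouts (nid, body) VALUES (?, ?)",
                     [(i % nodes + 1, f"shout {i}") for i in range(shouts)])
    conn.commit()
    return conn


def list_shouts_n_plus_1(conn: sqlite3.Connection):
    """The pattern described in the quoted message: one SELECT for the node
    list, then a further SELECT for every node in it (N+1 statements)."""
    result = []
    for nid, title in conn.execute("SELECT nid, title FROM node ORDER BY nid"):
        bodies = [b for (b,) in conn.execute(
            "SELECT body FROM shouts WHERE nid = ? ORDER BY sid", (nid,))]
        result.append((title, bodies))
    return result


def list_shouts_joined(conn: sqlite3.Connection):
    """Same output from a single LEFT JOIN; nodes with no shouts still appear."""
    grouped, order = {}, []
    rows = conn.execute(
        "SELECT n.title, s.body FROM node n LEFT JOIN shouts s ON s.nid = n.nid "
        "ORDER BY n.nid, s.sid")
    for title, body in rows:
        if title not in grouped:
            grouped[title] = []
            order.append(title)
        if body is not None:
            grouped[title].append(body)
    return [(t, grouped[t]) for t in order]


def run_counted(conn: sqlite3.Connection, fn):
    """Run fn(conn) and return (result, number of SQL statements executed),
    using sqlite3's per-statement trace callback as the counter."""
    count = 0

    def trace(_sql):
        nonlocal count
        count += 1

    conn.set_trace_callback(trace)
    try:
        result = fn(conn)
    finally:
        conn.set_trace_callback(None)
    return result, count


def per_node_lookup_uses_index(conn: sqlite3.Connection) -> bool:
    """True if the per-node shout lookup is served by an index rather than a
    full scan of the shouts table (the unindexed case the message describes)."""
    plan = conn.execute(
        "EXPLAIN QUERY PLAN SELECT body FROM shouts WHERE nid = ?", (1,)).fetchall()
    return any("USING INDEX" in row[-1] or "USING COVERING INDEX" in row[-1] for row in plan)


if __name__ == "__main__":
    for indexed in (False, True):
        conn = build_db(indexed)
        _, n_plus_1 = run_counted(conn, list_shouts_n_plus_1)
        _, joined = run_counted(conn, list_shouts_joined)
        print(f"index on shouts(nid): {indexed}; "
              f"per-node lookup uses index: {per_node_lookup_uses_index(conn)}; "
              f"statements per request: N+1 pattern={n_plus_1}, join={joined}")
```

With 200 nodes the N+1 pattern issues 201 statements per page request against the join's one, and without the index each of those 200 per-node lookups is a full scan of the shouts table; that product is what makes simply reloading the page an effective attack, and it is why the two things to check in a module's SQL are the per-row query loop and the index on the column it filters by.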